Researchers have provided a deep dive into the activities of Lyceum, an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs).
Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.
According to a report published on Tuesday by Accenture Cyber Threat Intelligence (ACTI) and Prevailion Adversarial Counterintelligence (PACT), between July and October this year, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia.
In addition, the APT is responsible for a campaign against an African ministry of foreign affairs.
The cybersecurity teams say that several of the “identified compromises” remain active at the time of publication.
Lyceum’s initial attack vectors include credential stuffing and brute-force attacks. According to Secureworks, individual accounts at companies of interest are usually targeted, and once these accounts are breached, they are used as a springboard to launch spear-phishing attacks against high-profile executives in an organization.
The APT appears to